I've created a subdomain for my parse app and I need to protect the connection while logging and during my session.
Assume that I don't have any public domain name and I will still use just the URL of (mysubdomain.parseapp.com). Then is all I need to do buy a certificate and get the two files for:
SSL Public Certificate
SSL Private Key
and just upload them to Parse through the settings page? Or will I need to do something else?
Just need a confirmation that my understanding is correct.
Kind Regards,
Robear
The private key would come from the server. A Certificate Authority is only going to give you a domain cert. For example "mysubdomain_parseapp.com_crt" and yes you'll need to upload the domain cert, private key (which is generated during the CSR request), plus the CA's intermediate cert (the CA should advise which one and where to download it).
In order for a CA to issue a cert, you need to own the root domain or have permission from the owner. In your case you would need to prove that you're the owner or have permission to purchase an SSL cert with "parseapp.com".
Related
A Certified Domain should be accessible only if the SSL public certificate of the domain is already present in the client's trust store. If not, the client should prompt to import the server certificate instead of getting it from the Tomcat server automatically (via SSL handshake).
This will not work: the server has no knowledge which CA certificates are known to the client so the server cannot decide what to send to the client. Also, the server can only send a certificate to the client but not make the client import a new root CA - no matter if with or without prompt.
Apart from that it makes no sense: the idea of TLS/HTTPS is that the client will only connect to a server whose identity can be verified. If the server can make a client import a new trusted root CA, an attacker could do the same and thus man-in-the-middle attacks would be possible.
If one instead just wants to know if the client will trust a specific certificate or not, one could include a resource (image, script...) served with this certificate into a known good HTML page and then check with some script in the page if the resource was loaded successfully. This check could also result in a redirect of the client, for example to some page describing the problem and linking to the correct root CA.
I inherited this server set up with my job and I'm trying to make sense of it...
Our domain's NS records point to Cloudflare (xxx.xxx.xxx.163). We have a valid cert with them.
Everything looks fine from the browser end and with online cert checkers for this cert.
On Cloudflare, the DNS 'A' record points to 3dCart.com (xxx.xxx.xxx.212). Here's where our web content resides.
But if I do a DNS lookup, I get the Cloudflare IP (xxx.xxx.xxx.163).
So it looks like the 3dCart server is totally transparent.
We currently have a second SSL cert with 3dCart's IP (xxx.xxx.xxx.212).
Do we need to have this second cert?
I don't see how it can ever be accessed.
Yes, you should have that origin certificate. Cloudflare accesses your origin site securely using that Origin Certificate. However, the Origin Certificate doesn't need to chain to a public root. You can let CloudFlare issue a free certificate from its private root CA or use a self signed certificate for your Origin certificate.
Can I use a certificate from letsencrypt to sign local certificates?
I'm annoyed when accessing routers and APs at 192.168.x.x to get security warnings.
I could create my own root cert, and import it into all my browsers etc, and create certs for all the local servers.
But I'd rather have the chain device -> www.example.com -> letsencrypt -> root
Then also guests could use my local servers/services without this security error.
No, you cannot, because the certificate issued to you by letsencrypt will not have the keyusage certificate signing enabled. Without this attribute in the issuer, any browser or SSL client must reject the certificate.
If this were possible, anyone could issue valid certificates for any server simply by having a valid certificate from a trusted CA.
If you want to issue certificates for your local servers you will need to create your own CA and include the root certificate in the truststore of each client.
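The rejection described in this answer, reproduced with the `openssl` CLI as an added example that is not part of the original posts: a private root stands in for the public CA, and a server certificate issued with `CA:FALSE` is then used to sign a device certificate. All names, files and the `ext.cnf` sections are constructed for the illustration.

```shell
#!/bin/sh
# Added example: every name, file and extension section here is constructed.

make_chain() {   # $1 = work directory; builds root -> leaf -> device
    d=$1
    cat > "$d/ext.cnf" <<'EOF'
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF
    for n in root leaf device; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$n.example.test" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    # Private root CA: allowed to sign certificates.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ext.cnf" -extensions ca -out "$d/root.crt" 2>/dev/null || return 1
    # Server certificate as a CA issues it to a site owner: CA:FALSE, no keyCertSign.
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -set_serial 2 -days 1 -extfile "$d/ext.cnf" -extensions leaf \
        -out "$d/leaf.crt" 2>/dev/null || return 1
    # openssl will write this file, but its issuer is not a CA.
    openssl x509 -req -in "$d/device.csr" -CA "$d/leaf.crt" -CAkey "$d/leaf.key" \
        -set_serial 3 -days 1 -extfile "$d/ext.cnf" -extensions leaf \
        -out "$d/device.crt" 2>/dev/null
}

# The rejection happens on the verifying side, when the chain is validated.
leaf_is_trusted() {
    openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1
}
device_is_trusted() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/leaf.crt" \
        "$1/device.crt" >/dev/null 2>&1
}

work=$(mktemp -d) && make_chain "$work" && {
    leaf_is_trusted "$work" && echo "leaf.crt: chain OK"
    device_is_trusted "$work" || echo "device.crt: rejected, issuer is not a CA"
}
rm -rf "$work"
```

To see the same fields on a real certificate, `openssl x509 -in cert.pem -noout -text` prints the Basic Constraints and Key Usage extensions.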
Yes, you can... but not like that
Yes, you can get certificates for servers on a private network. The domain must be a real domain with public txt records, but the A, AAAA, and CNAME records can be private/non-routable (or in a private zone).
No, the way to do that isn't by using Let's Encrypt certificates to sign local certificates.
You can accomplish exactly what you want to accomplish using the DNS-01 challenge (setting txt records for your domain).
Who is your domain / dns provider?
Immediate, but Temporary Solution
If you want to test it out real quick, try https://greenlock.domains and choose DNS instead of HTTP for the "how do you want to do this" step.
Automatable Integration
If you want a configurable, automatable, deployable solution try greenlock.js (there are node plugins for Cloudflare, Route 53, Digital Ocean, and a few other DNS providers).
Both use Let's Encrypt under the hood. Certbot can also be used for either case and can use python plugins.
Possibly related...
P.S. You might also be interested in a service like Telebit, localtunnel, or ngrok.
I want to generate and install SSL certificate for a sub-domain.
The sub-domain is used with a different server (A record points to the IP) and it's where I want to add the certificate.
It's a shared hosting, with CPANEL, so it's easy to generate and install certificates, but I'm not sure how I should generate and install SSL with this setup, without going into the domain settings... if it's possible, any suggestions?
If not, please explain what should be done in such case..
This is Class 2 certificate as provided by letsencrypt? Only 2 requirements need be met:
DNS entry for specific address: sub.domain.xxx
... which points to a web server where you have access to the index directory.
Tools like getssl (https://github.com/srvrco/getssl) can then obtain the certificate by putting down a key in a subdirectory for validation.
If your cPanel installation is up to date you could request that cPanel's AutoSSL be enabled. This would then automatically get a signed certificate approved by Comodo and install it on any domains or subdomains that have it enabled on the server via the interface.
I recently purchased a SSL certificate from my domain registrar (http://www.namecheap.com), and I'm trying to install it on my website in cPanel. The certificate I bought was PositiveSSL. I filled out a form on namecheap, and got an email with a thing that says -----Begin Certificate------ AbunchOfLetters -----End certificate ----
So in cPanel, I generated a private key. Then I went to "Manage SSL sites" in cPanel. I pasted in the certificate emailed to me in the first field, then put my generated private key in the second field. When I put the private key in, it says it doesn't match the certificate and I'm not able to install it.
I've been scratching my head at this for a while. Sorry if I missed something, I'm not very familiar with how SSL works, but would really appreciate some help. Thanks
You will have to add the private key which you got while creating the CSR for the SSL. If you are not sure about that, please contact your hosting provider for this. They will check it on the server and will install SSL on your domain with the correct private key.
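A way to check which key belongs to a certificate before pasting it into a control panel, as an added example that is not part of the original posts; it also illustrates the earlier answer's point that the private key is created together with the CSR. The file names and host name are constructed, and a self-signed certificate stands in for the one a CA would return.

```shell
#!/bin/sh
# Added example: all file names and the host name are constructed.

# Succeeds only when the private key ($1) and certificate ($2) carry the same
# public key. Returns 2 if either file cannot be read or parsed.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

make_demo_files() {   # $1 = work directory
    # The key and the CSR are created in one step; the CSR carries the public half.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$1/csr.key" -out "$1/site.csr" 2>/dev/null || return 1
    # Stand-in for the CA's reply: a certificate built from that CSR.
    openssl x509 -req -in "$1/site.csr" -signkey "$1/csr.key" -days 1 \
        -out "$1/site.crt" 2>/dev/null || return 1
    # A fresh key generated afterwards, unrelated to the CSR.
    openssl genrsa -out "$1/later.key" 2048 2>/dev/null
}

work=$(mktemp -d) && make_demo_files "$work" && {
    key_matches_cert "$work/csr.key" "$work/site.crt" \
        && echo "csr.key: matches site.crt"
    key_matches_cert "$work/later.key" "$work/site.crt" \
        || echo "later.key: does not match site.crt"
}
rm -rf "$work"
```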